[rt-users] Please help with RT::Authen::ExternalAuth with nested LDAP/AD groups

Landon Stewart lstewart at internap.com
Fri Jul 15 14:23:58 EDT 2016

On Jul 15, 2016, at 11:03 AM, Nilesh <me at nileshgr.com<mailto:me at nileshgr.com>> wrote:

Your setup looks perfectly fine, but I may be missing something because I
haven't used AD. I use OpenLDAP with rt-ldapimport script for authentication and
rt-ldapimport --no-users --import to sync users (enabled Group member syncing in
the importer). Works good. May be give that a try?

I guess my next step would be figuring out how to sync the groups so that our RTIR_WEB_SC_ACCESS group users would be within the "DutyTeam" group in RTIR.  I believe you are right in that rt-ldapimport would help with that I think but it looks like a nightmare to set up.  I'll burn that barn down when I come to it I guess.

I think my issues with authentication lay within the following part of the configuration.  I'm not sure what the group* configuration variables are for exactly because they are loosely documented and there are I've found very few examples via google and (almost?) none related to nested groups.

        'base' => 'OU=iweb,DC=corp,DC=iweb,DC=com',
        'filter' => '(objectClass=*)',
        'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
        'group' => 'RTIR_WEB_SC_ACCESS',
        'group_scope' => 'sub',
        'group_attr' => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
        'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',

Landon Stewart
Lead Analyst - Abuse and Security Management
📧 lstewart at internap.com<mailto:lstewart at internap.com>
🌍 www.internap.com<http://www.internap.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20160715/cff779ba/attachment.htm>

More information about the rt-users mailing list